Data Description: I have a Looker Studio report with multiple dashboards, all connected to BigQuery for underlying data. Some tables in BigQuery are base tables, while others are external. Many data sources are created as views.
The Task: I need to create a filter that ensures certain people accessing the dashboard can only see their data tied to their email.
Tried Solutions:
I tried creating a filter on each dashboard within Looker Studio using LOWER(SESSION_USER()) AS viewer_email, and then creating a calculated field with a case clause:
IF person.email = viewer_email THEN TRUE. This approach didnât work.
I tried giving BigQuery view access to specific users, but this didnât help either.
I attempted to filter by email in the data source Edit section, but it filters the data so that I canât see it, and users are shown a message saying, âYou donât have access to the underlying data.â
I wanted to create a RAP (Row Access Policies), but since some of the dashboards are views or external tables, RAP cannot be created on them in BigQuery.
Summary: The task is a bit tricky, so Iâm reaching out for help in finding a solution. Any suggestions or guidance would be greatly appreciated!
Sounds like your data source credentials are set to ViewerâŚtry setting to Owner to get the Filter by Email approach to work. But yes, if your email address is not in the data source, youâll see nothing.
The issue with credentials is that when itâs set to âdata ownerâ or âservice account,â all data is shown to all users. However, I still need to filter the data by the user accessing the report so they only see their own data. From my understanding, this should be done through viewer access, or maybe Iâm missing something. But I canât understand why they are still seeing âNo Data Set Accessâ even though they have data viewer rights at the BigQuery level and the report is shared with their exact email.
I havenât done much with BQ viewer access lately, but I looked up my notes from a previous project that sounds similar. I had to add the users as BQ Data Viewers (which it sounds like youâve done), but also had to add them as Job Users in IAM, and also had to make sure that the filtered table was set as an authorized view on the original dataset. (Again, itâs been a while since I worked on this, but maybe that will help?) I remember the permissions were tricky to get right.
I completely understand your question because Iâve worked on similar projects before. One approach that worked well for me was using this calculated field:
Email_Group is the column that contains user email addresses.
Region represents any field in your dataset that doesnât have empty values.
âFilterâ is a placeholder that gets excluded when you apply a global filter in your report.
DS_USER_EMAIL() in Looker Studio automatically retrieves the logged-in userâs email. This makes it a powerful tool for creating personalized dashboards, ensuring that each user sees only the data relevant to them without needing manual filtering.
Hope this helps! Let me know if you have any questions
Yes, Iâve tried adjusting the permissions and even gave owner credentials to the service account being used, but Iâm still receiving insufficient permissions messages on some data sources. I also tried comparing the working and non-working data sources side by side, with the same setups, but the results were different after all.
Thank you for this thorough explanation. Iâll try this approach as well. However, the question is: which permissions should be used in the backend for data sources in BigQuery?
With this approach, thereâs no need to assign special permissions at BigQuery data source level. Instead, in Looker Studio, configure the data source to use Ownerâs Credentials. This ensures that all viewers access the data through your credentials, bypassing individual user-level restrictions while maintaining controlled access
Thank you for the solution! It worked after setting up and applying the filter on each data source and adding exclusions with my own email. At first, I couldnât see the data, even with data owner permissions.